Why my auth user pass doesn't work?

Scripts which allow the use of special authentication methods (LDAP, AD, MySQL/PostgreSQL, etc).
Vast
OpenVpn Newbie
Posts: 5
Joined: Thu Nov 24, 2016 8:18 am

Why my auth user pass doesn't work?

Postby Vast » Thu Nov 24, 2016 9:32 am

#server.conf
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 114.114.114.114"
push "dhcp-option DNS 114.114.115.115"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem

-------------------
#clent.ovpn
client
dev tun
proto udp
remote 139.217.21.10 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
ca ca.crt
cert user-1.crt
key user-1.key

---------------
when I use two .conf file above ,I can succesfully connect to my VPS(OpenLogic 7 x64 of Azure VPS).
Later I want to use the auth-user-pass-verify method to share VPN with my friends. So I follow http://edoceo.com/howto/openvpn-auth-user-pass-verify and add

Code: Select all

auth-user-pass-verify checkpsw.sh via-env
script-security 3 execve


to my server.conf and edited client.ovpn :

client
dev tun
proto udp
remote 139.217.21.10 1194
resolv-retry infinite
nobind
persist-key
persist-tun

auth-user-pass

comp-lzo
verb 3
ca ca.crt
#cert user-1.crt
#key user-1.key


here is checkpsw.sh (I have used chmod -x checkpsw.sh and chmod 700 * in /etc/openvpn/)
#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.

PASSFILE="/etc/openvpn/psw-file"
LOG_FILE="/var/log/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`

###########################################################


if [ ! -r "${PASSFILE}" ]; then
echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
exit 1
fi

CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`

if [ "${CORRECT_PASSWORD}" = "" ]; then
echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
exit 0
fi

echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1


-----------------------------------------------------------------------------------------
But when I try to connect . it failed:
Thu Nov 24 17:30:12 2016 OpenVPN 2.3.10 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Jan 4 2016
Thu Nov 24 17:30:12 2016 Windows version 6.2 (Windows 8 or greater)
Thu Nov 24 17:30:12 2016 library versions: OpenSSL 1.0.1q 3 Dec 2015, LZO 2.09
Thu Nov 24 17:30:12 2016 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25342
Thu Nov 24 17:30:12 2016 Need hold release from management interface, waiting...
Thu Nov 24 17:30:12 2016 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25342
Thu Nov 24 17:30:12 2016 MANAGEMENT: CMD 'state on'
Thu Nov 24 17:30:12 2016 MANAGEMENT: CMD 'log all on'
Thu Nov 24 17:30:12 2016 MANAGEMENT: CMD 'hold off'
Thu Nov 24 17:30:12 2016 MANAGEMENT: CMD 'hold release'
Thu Nov 24 17:30:15 2016 MANAGEMENT: CMD 'username "Auth" "001"'
Thu Nov 24 17:30:15 2016 MANAGEMENT: CMD 'password [...]'
Thu Nov 24 17:30:15 2016 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Thu Nov 24 17:30:15 2016 Socket Buffers: R=[65536->65536] S=[65536->65536]
Thu Nov 24 17:30:15 2016 UDPv4 link local: [undef]
Thu Nov 24 17:30:15 2016 UDPv4 link remote: [AF_INET]139.217.21.10:1194
Thu Nov 24 17:30:15 2016 MANAGEMENT: >STATE:1479979815,WAIT,,,
Thu Nov 24 17:30:15 2016 MANAGEMENT: >STATE:1479979815,AUTH,,,
Thu Nov 24 17:30:15 2016 TLS: Initial packet from [AF_INET]139.217.21.10:1194, sid=0aab71cc dd682949
Thu Nov 24 17:30:15 2016 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Nov 24 17:30:15 2016 VERIFY OK: depth=1, C=HK, ST=NA, L=HK, O=My Company, OU=MyOrganizationalUnit, CN=My Company CA, name=EasyRSA, emailAddress=root@vast
Thu Nov 24 17:30:15 2016 VERIFY OK: depth=0, C=HK, ST=NA, L=HK, O=My Company, OU=MyOrganizationalUnit, CN=server, name=EasyRSA, emailAddress=root@vast
Thu Nov 24 17:30:15 2016 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Nov 24 17:30:15 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Nov 24 17:30:15 2016 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Nov 24 17:30:15 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Nov 24 17:30:15 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Thu Nov 24 17:30:15 2016 [server] Peer Connection Initiated with [AF_INET]139.217.21.10:1194
Thu Nov 24 17:30:16 2016 MANAGEMENT: >STATE:1479979816,GET_CONFIG,,,
Thu Nov 24 17:30:17 2016 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Nov 24 17:30:17 2016 AUTH: Received control message: AUTH_FAILED
Thu Nov 24 17:30:17 2016 SIGUSR1[soft,auth-failure] received, process restarting
Thu Nov 24 17:30:17 2016 MANAGEMENT: >STATE:1479979817,RECONNECTING,auth-failure,,
Thu Nov 24 17:30:17 2016 Restart pause, 2 second(s)


So……Where is the problem? I'm crazy about these for 2 days !

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 2595
Joined: Fri Jun 03, 2016 1:17 pm

Re: Why my auth user pass doesn't work?

Postby TinCanTech » Thu Nov 24, 2016 1:31 pm

The tutorial you have followed is more than five years out of date ..

Vast
OpenVpn Newbie
Posts: 5
Joined: Thu Nov 24, 2016 8:18 am

Re: Why my auth user pass doesn't work?

Postby Vast » Fri Nov 25, 2016 4:00 am

TinCanTech wrote:The tutorial you have followed is more than five years out of date ..

I found that checkpsw.sh was wrong.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 2595
Joined: Fri Jun 03, 2016 1:17 pm

Re: Why my auth user pass doesn't work?

Postby TinCanTech » Fri Nov 25, 2016 11:26 am

What is wrong with it ? (I have not checked it)

Vast
OpenVpn Newbie
Posts: 5
Joined: Thu Nov 24, 2016 8:18 am

Re: Why my auth user pass doesn't work?

Postby Vast » Fri Nov 25, 2016 4:03 pm

TinCanTech wrote:What is wrong with it ? (I have not checked it)

I have write a checkpsw.sh by myself and I think it can replace the old .sh. Now it's working

Code: Select all

# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.

PASSFILE="psw-file"
LOG_FILE="login-auth.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`

###########################################################
if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
  exit 1
fi



# using th re(Regular Expressions)
#CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="${username}"{print $2;exit}' ${PASSFILE}`
CORRECT_PASSWORD=$(grep -oP "(?<=^$username\s).+$" $PASSFILE)

if [ "${CORRECT_PASSWORD}" = "" ]; then
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
  exit 0
fi

echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1


Return to “Authentication Scripts”

Who is online

Users browsing this forum: No registered users and 1 guest